Make auto-login somewhat secure

For many users, automatic login is a great convenience—whenever you boot or reboot your OS X machine, it logs you in and runs all your login items. For other users, it can be more important than convenience. For instance, assume you’re traveling and have set up remote access to your work machine so you can transfer some important files back and forth. While you’re away, there’s a power failure. You’ve set your Mac to restart after such an event (in the Energy Saver System Preferences panel), but if you don’t have automatic login enabled, then your remote access software won’t be running. Uh oh.

However, automatic login is also a security concern—say your work machine reboots after a midnight power outage, and someone on the night shift sees it just sitting there, logged in with all your files available for browsing. That’s not good. It is obviously much safer to require a username and password to log in. With a bit of work, though, you can sort of have the best of both worlds—automatic login yet with some security from snoopers.

Remember, though, that once someone has physical access to your machine, there’s really no such thing as a secure system—with physical access, a dedicated attacker will have no problems getting to your files (FileVault will make it quite a bit tougher, of course). So what follows is an approach to ward off the casual snooper, not the dedicated attacker.

What we’re going to do is enable automatic login and then instantly activate a password-protected screen saver. Anyone walking past at the exact moment of login might be able to quickly interrupt the process, but the odds of such timing are quite low. This method will definitely stop the “just walking past and saw this screen of files sitting there” snooper, but will have no impact on a dedicated attacker (who will just pull the power cord and then get into your machine in a different manner).

First, open the Security System Preferences panel, and enable the Require password to wake this computer from sleep or screen saver feature. While you’re there, make sure the Disable automatic login feature is not enabled. Now switch over to the Accounts preferences panel and click the Login Items box (you’ll probably have to click the lock icon first and authenticate). Enable the Automatically log in as feature, and set the desired account in the pop-up menu. You’ll then have to authenticate again.

Finally, click on your account in the Accounts panel (the one listed in the column under My Account), then select the Login Items tab. Click the plus sign at the bottom of the window, and leave this window open. Switch to the Finder now, and navigate into this deeply buried folder: /System -> Library -> Frameworks -> ScreenSaver.framework -> Versions -> A -> Resources. Now position the Finder window and the Accounts window such that you can see both of them, and drag the ScreenSaverEngine file from the Finder window into the Accounts window. That will set the path to that file’s directory. As the final step, click on ScreenSaverEngine in the Accounts window (to actually select that application) and then click Add. Quit System Preferences now, as you’re done.

The next time you restart the machine, you’ll see your account automatically log in, the usual startup activities occur, and then the screensaver engine will kick in. As I mentioned earlier, there’s a period of time where your desktop is visible, so someone could technically see something. But the screensaver will kick in relatively quickly, after which they’ll need your password to unlock the screen. Not perfect security, by far, but a good compromise for those who need the benefits of automatic login and use a Mac in a not totally secure location.
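To confirm from Terminal that all three pieces of this setup are actually in place, here is an added audit script (not part of the original article). It assumes the auto-login account is stored under autoLoginUser in com.apple.loginwindow and the password requirement under askForPassword in com.apple.screensaver; where these keys live varies by OS X release, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit the auto-login + locked screen saver setup.
# Preference locations are assumptions and vary by OS X release.

# evaluate AUTOLOGIN_USER ASK_FOR_PASSWORD LOGIN_ITEM_PATHS
# Prints a one-word verdict; returns non-zero when the desktop would be
# left open to a passer-by after an unattended reboot.
evaluate() {
    user=$1; ask=$2; items=$3
    if [ -z "$user" ]; then
        echo "no-autologin"            # login window already asks for a password
        return 0
    fi
    if [ "$ask" != "1" ]; then
        echo "exposed-no-password"     # screen saver would dismiss without a password
        return 1
    fi
    case $items in
        *ScreenSaverEngine*) echo "ok"; return 0 ;;
        *) echo "exposed-no-login-item"; return 1 ;;  # nothing locks the session at login
    esac
}

# Read the live settings (OS X only) and pass them to evaluate.
collect_and_evaluate() {
    user=$(defaults read /Library/Preferences/com.apple.loginwindow \
        autoLoginUser 2>/dev/null) || user=""
    # Try the per-host domain first, then the plain user domain.
    ask=$(defaults -currentHost read com.apple.screensaver askForPassword 2>/dev/null) ||
        ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null) || ask=0
    items=$(osascript -e \
        'tell application "System Events" to get the path of every login item' \
        2>/dev/null) || items=""
    evaluate "$user" "$ask" "$items"
}

# Only query the system where the OS X tools exist.
if command -v defaults >/dev/null 2>&1 && command -v osascript >/dev/null 2>&1; then
    collect_and_evaluate || echo "WARNING: auto-login leaves the desktop unlocked" >&2
fi
```

Run it again after any OS upgrade or account change, since either can silently drop the login item or reset the password requirement.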

